#1 (permalink) |
|
Registered User
Join Date: Aug 2004
Posts: 3
OS: win2000
|
Kill your-searcher.com
I am running Windows 2000. I got infected by your-searcher.com. I've spent countless hours removing this from my system, but failed. How do I clean it in Windows 2000? Many of the solutions are for Windows XP. Thanks.
|
#2 (permalink) |
|
Analyst, Security Team
|
Welcome to TSF.
Please download Adaware and install it if you don’t have it already. Make sure it’s the newest version and check for any updates before running it. Download the VX2 Cleaner Add-On and follow the online instructions to install it properly. Also make sure to customize the settings in Adaware for better scan results. Run the scan and fix everything that it finds.

Restart and download HijackThis. Create a folder at C:\HJT and move HijackThis.exe there. Run a scan and save the log file. Post the whole log file here. Do not fix anything since most of them listed there are harmless (some are system required). This program will help us determine if there is any spyware/malware on your computer.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it. |
|
|
|
|
|
#3 (permalink) |
|
Manager, Microsoft Support
Join Date: Jul 2002
Location: Knoxville, TN or Austin, TX depending
Posts: 7,049
OS: WinXP Pro SP3 and Windows 7
|
I'm sure others here can go into more detail than me, since I have rather little experience with spyware/malware... You can download Adaware and try that if you haven't already.

There's another program I've used: Spybot Search and Destroy. It's found things on my computer that fully updated Adaware didn't. I don't know if these will get rid of that your-searcher.com, since from what you say it isn't normal spyware. I'm sure there is someone else here with more knowledge on the subject. Here is a semi-related thread you might want to read up on.

Bah, greyknight beat me to it.
__________________
I do not subscribe to threads, so if I stop replying, PM me with a link to your thread so I can find it again. Last edited by elf; 08-25-2004 at 11:19 AM. |
|
|
|
|
|
#4 (permalink) |
|
Analyst, Security Team
|
You could read the post that elf posted, but don't fix anything in HijackThis. Each person's log will be different.
|
|
|
|
|
#5 (permalink) |
|
Registered User
Join Date: Aug 2004
Posts: 3
OS: win2000
|
Thanks.
Thanks. This is the hijack result of my computer.
Logfile of HijackThis v1.98.2
Scan saved at 1:49:12 PM, on 8/25/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Dell\PSM\iomgr.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Dell\PSM\arcpd.exe
C:\Program Files\Intel\ASF Agent\AS***ent.exe
C:\Program Files\Dell\PSM\notify.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINNT\system32\DSentry.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\system32\internat.exe
C:\WINNT\system32\dmsynth.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe
C:\Program Files\Trojan Remover\bjy2.exe
C:\Program Files\Trojan Remover\bjy2.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis19802.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://your-searcher.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://your-searcher.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://your-searcher.com/index.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINNT\system32\DSentry.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - HKCU\..\Run: [dmsynth] C:\WINNT\system32\dmsynth.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: winlgn.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{2421FF65-5E09-41E1-AF9D-01AE29ECFAC2}: NameServer = 129.49.7.3,129.49.7.250
O17 - HKLM\System\CS1\Services\Tcpip\..\{2421FF65-5E09-41E1-AF9D-01AE29ECFAC2}: NameServer = 129.49.7.3,129.49.7.250
O17 - HKLM\System\CS2\Services\Tcpip\..\{2421FF65-5E09-41E1-AF9D-01AE29ECFAC2}: NameServer = 129.49.7.3,129.49.7.250
O18 - Filter: text/html - {D9001732-211E-4FFF-8C1E-C46F5CDE472C} - C:\WINNT\system32\mkiafid.dll
O18 - Filter: text/plain - {D9001732-211E-4FFF-8C1E-C46F5CDE472C} - C:\WINNT\system32\mkiafid.dll
|
|
|
|
|
#6 (permalink) |
|
Analyst, Security Team
|
Please print out or copy this page to Notepad. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible also.

Please download Adaware and install it if you don’t have it already. Make sure it’s the newest version and check for any updates before running it. Download the VX2 Cleaner Add-On and follow the online instructions to install it properly. Also make sure to customize the settings in Adaware for better scan results. Run the scan and fix everything that it finds.

Reboot into Safe Mode (hit F8 key until menu shows up).

Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn’t be – but double check it):

C:\WINNT\system32\dmsynth.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe

Make sure to close any open browsers you have. Check and fix the following in HijackThis if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://your-searcher.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://your-searcher.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://your-searcher.com/index.htm
O4 - HKCU\..\Run: [dmsynth] C:\WINNT\system32\dmsynth.exe
O4 - Global Startup: winlgn.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O18 - Filter: text/html - {D9001732-211E-4FFF-8C1E-C46F5CDE472C} - C:\WINNT\system32\mkiafid.dll
O18 - Filter: text/plain - {D9001732-211E-4FFF-8C1E-C46F5CDE472C} - C:\WINNT\system32\mkiafid.dll

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINNT\system32\dmsynth.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe
C:\WINNT\system32\mkiafid.dll

Reboot into Normal Mode.

After that’s done, restart and post a new HijackThis log file so we can make sure it’s clean. To help prevent future spyware installations/infections, please read my anti-spyware section and use the tools provided.
|
|
|
|
|
#7 (permalink) |
|
Registered User
Join Date: Aug 2004
Posts: 3
OS: win2000
|
Thanks
It seems my computer is clean. Thanks for your help. This is the new hijack log.
Logfile of HijackThis v1.98.0
Scan saved at 6:38:18 PM, on 9/1/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Dell\PSM\iomgr.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Dell\PSM\arcpd.exe
C:\Program Files\Intel\ASF Agent\AS***ent.exe
C:\Program Files\Dell\PSM\notify.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINNT\system32\DSentry.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jucheck.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\downloads\VirusKiller\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINNT\system32\DSentry.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{2421FF65-5E09-41E1-AF9D-01AE29ECFAC2}: NameServer = 129.49.7.3,129.49.7.250
O17 - HKLM\System\CS1\Services\Tcpip\..\{2421FF65-5E09-41E1-AF9D-01AE29ECFAC2}: NameServer = 129.49.7.3,129.49.7.250
O17 - HKLM\System\CS2\Services\Tcpip\..\{2421FF65-5E09-41E1-AF9D-01AE29ECFAC2}: NameServer = 129.49.7.3,129.49.7.250
|
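The follow-up scan in this thread only confirms the cleanup when it is compared entry by entry with the first one. The Python below is an added example, not part of the original thread and not HijackThis code: it parses the R/O entry lines of two logs (including logs flattened or wrapped the way forum software leaves them), lists what disappeared or appeared between scans, and reports any entry that still matches the names flagged in post #6. The function names and the abridged sample logs are assumptions made for illustration.

```python
import re

# HijackThis entries start with a section code (R0-R3, O1 and up) then " - ".
ENTRY_START = re.compile(r"(?:^|\s)(?=(?:R[0-3]|O\d{1,2}) - )")
ENTRY = re.compile(r"(R[0-3]|O\d{1,2}) - (.+)")

def parse_entries(log_text):
    """Return {(code, detail)} from a log, whether it has one entry per line,
    is wrapped mid-entry, or is flattened onto one line."""
    entries = set()
    for chunk in ENTRY_START.split(log_text):
        m = ENTRY.fullmatch(" ".join(chunk.split()))  # rejoin wrapped lines
        if m:  # header and process-list text has no section code: skipped
            entries.add((m.group(1), m.group(2)))
    return entries

def review(before, after, indicators):
    """Compare two scans: what changed, and what still matches an indicator."""
    b, a = parse_entries(before), parse_entries(after)
    def flagged(entries):
        return sorted(e for e in entries
                      if any(i.lower() in e[1].lower() for i in indicators))
    return {"removed": sorted(b - a), "added": sorted(a - b),
            "flagged_before": flagged(b), "still_flagged": flagged(a)}

# Sample data: abridged excerpts of the two logs in this thread.
# BEFORE is flattened onto one line, AFTER has one entry per line.
BEFORE = (
    r"Running processes: C:\WINNT\system32\dmsynth.exe "
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com "
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://your-searcher.com/sp.htm "
    r"O4 - HKCU\..\Run: [Internat.exe] internat.exe "
    r"O4 - HKCU\..\Run: [dmsynth] C:\WINNT\system32\dmsynth.exe "
    r"O4 - Global Startup: winlgn.exe "
    r"O18 - Filter: text/html - {D9001732-211E-4FFF-8C1E-C46F5CDE472C} - C:\WINNT\system32\mkiafid.dll"
)
AFTER = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
O4 - HKCU\..\Run: [Internat.exe] internat.exe
"""
# Names the analyst asked to have fixed or deleted in post #6.
INDICATORS = ["your-searcher.com", "dmsynth.exe", "winlgn.exe", "mkiafid.dll"]

if __name__ == "__main__":
    for key, items in review(BEFORE, AFTER, INDICATORS).items():
        print(f"{key}: {len(items)}")
        for code, detail in items:
            print(f"    {code} - {detail}")
```

An empty `still_flagged` list together with an empty `added` list is the machine-checkable form of "the new log is clean"; anything in `added` deserves a manual look even if it matches no indicator.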